feat: enable INET_DIAG
Fixes: #1028

INET_DIAG_DESTROY is used by CNIs such as Cilium to terminate
connections in other containers. KSPP recommends disabling it due to
"Prior to v4.1, assists heap memory attacks; best to keep interface
disabled.".

Linux 4.1 was almost 10 years ago, and Cilium with its eBPF-based
kube-proxy replacement is widely used by the community; not having
this enabled leads to weird networking issues (e.g. when coredns pods
get a different IP due to deployment restarts, UDP DNS clients keep sending
connections to the old IP).

Signed-off-by: Ströger Florian <florian@florianstroeger.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
(cherry picked from commit 79a4f92)
Preisschild authored and smira committed Sep 20, 2024
1 parent 736ecae commit a50180b
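The mechanism the commit message relies on, shown as an added example that is not code from the Talos, pkgs or Cilium projects: a minimal C client that issues the SOCK_DESTROY command over NETLINK_SOCK_DIAG, which is the operation CONFIG_INET_DIAG_DESTROY=y adds to the kernel and the one `ss -K` performs. The message layout (`struct inet_diag_req_v2`, `SOCK_DESTROY`, `INET_DIAG_NOCOOKIE`) comes from the kernel UAPI headers; the names `destroy_msg`, `build_destroy_request`, `sock_destroy` and `explain`, and the sample 4-tuple, are this example's own assumptions. Running it needs CAP_NET_ADMIN in the target network namespace, and the errno it reports tells a node operator which situation they are in: EOPNOTSUPP is a kernel with INET_DIAG but no destroy handler (INET_DIAG_DESTROY off), ENOENT is no matching socket or no inet_diag handler at all, EPERM is a missing capability.

```c
/* Added example (not code from Talos/pkgs or Cilium): send SOCK_DESTROY over
 * NETLINK_SOCK_DIAG to kill one TCP or UDP socket by 4-tuple. This is the
 * operation CONFIG_INET_DIAG_DESTROY=y enables and the one `ss -K` performs.
 * Needs CAP_NET_ADMIN in the socket's network namespace. */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/inet_diag.h>
#include <linux/netlink.h>
#include <linux/sock_diag.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One netlink message: header followed directly by the inet_diag request. */
struct destroy_msg {
    struct nlmsghdr nlh;
    struct inet_diag_req_v2 req;
};

/* Fill a SOCK_DESTROY request for an IPv4 socket. idiag_src/idiag_sport are
 * the local end and idiag_dst/idiag_dport the remote end (ss's convention).
 * The cookie must be INET_DIAG_NOCOOKIE, otherwise the kernel compares it
 * against the socket's real cookie and answers ESTALE. Returns 0, or -1 if
 * an address does not parse. */
int build_destroy_request(struct destroy_msg *m, uint8_t proto,
                          const char *local_ip, uint16_t local_port,
                          const char *remote_ip, uint16_t remote_port)
{
    memset(m, 0, sizeof(*m));
    m->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(m->req));
    m->nlh.nlmsg_type = SOCK_DESTROY;
    m->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; /* always get an ack back */
    m->req.sdiag_family = AF_INET;
    m->req.sdiag_protocol = proto;          /* IPPROTO_TCP or IPPROTO_UDP */
    m->req.idiag_states = ~0U;              /* any TCP state */
    m->req.id.idiag_sport = htons(local_port);
    m->req.id.idiag_dport = htons(remote_port);
    m->req.id.idiag_cookie[0] = INET_DIAG_NOCOOKIE;
    m->req.id.idiag_cookie[1] = INET_DIAG_NOCOOKIE;
    if (inet_pton(AF_INET, local_ip, &m->req.id.idiag_src[0]) != 1 ||
        inet_pton(AF_INET, remote_ip, &m->req.id.idiag_dst[0]) != 1)
        return -1;
    return 0;
}

/* Send the request and wait for the NLMSG_ERROR ack.
 * Returns 0 on success or a positive errno value from the kernel. */
int sock_destroy(const struct destroy_msg *m)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SOCK_DIAG);
    if (fd < 0)
        return errno;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    if (sendto(fd, m, m->nlh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        int e = errno;
        close(fd);
        return e;
    }
    union { struct nlmsghdr h; char raw[8192]; } resp;  /* keeps header aligned */
    ssize_t n = recv(fd, &resp, sizeof(resp), 0);
    close(fd);
    if (n < 0)
        return errno;
    if (!NLMSG_OK(&resp.h, (int)n) || resp.h.nlmsg_type != NLMSG_ERROR)
        return EPROTO;
    const struct nlmsgerr *err = NLMSG_DATA(&resp.h);
    return -err->error;   /* kernel reports a negative errno, 0 on success */
}

/* Turn the result into the diagnosis a node operator wants. */
const char *explain(int err)
{
    switch (err) {
    case 0:          return "socket destroyed";
    case EPERM:      return "caller lacks CAP_NET_ADMIN in this network namespace";
    case EOPNOTSUPP: return "kernel has INET_DIAG but not INET_DIAG_DESTROY";
    case ENOENT:     return "no socket matches the 4-tuple (or no inet_diag handler)";
    case ESTALE:     return "socket cookie mismatch";
    default:         return strerror(err);
    }
}

int main(int argc, char **argv)
{
    if (argc != 6) {
        fprintf(stderr, "usage: %s tcp|udp LOCAL_IP LOCAL_PORT REMOTE_IP REMOTE_PORT\n", argv[0]);
        return 2;
    }
    uint8_t proto = strcmp(argv[1], "udp") == 0 ? IPPROTO_UDP : IPPROTO_TCP;
    struct destroy_msg m;
    if (build_destroy_request(&m, proto, argv[2], (uint16_t)atoi(argv[3]),
                              argv[4], (uint16_t)atoi(argv[5])) != 0) {
        fprintf(stderr, "bad IPv4 address\n");
        return 2;
    }
    int err = sock_destroy(&m);
    printf("%s\n", explain(err));
    return err ? 1 : 0;
}
```

The scenario from the commit message maps onto the arguments directly: a pod's UDP client socket still bound to a stale coredns IP is `./sockdestroy udp <pod-ip> <local-port> <old-coredns-ip> 53` run with CAP_NET_ADMIN in the pod's network namespace, and the client's next sendto fails with ECONNABORTED, forcing it to re-resolve. The same request with `SOCK_DIAG_BY_FAMILY` instead of `SOCK_DESTROY` is the read-only enumeration that plain `CONFIG_INET_DIAG` already provides.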
Showing 3 changed files with 14 additions and 2 deletions.
8 changes: 7 additions & 1 deletion kernel/build/config-amd64
Expand Up @@ -1163,7 +1163,11 @@ CONFIG_INET_IPCOMP=y
CONFIG_INET_TABLE_PERTURB_ORDER=16
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
# CONFIG_INET_DIAG is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_INET_UDP_DIAG=y
# CONFIG_INET_RAW_DIAG is not set
CONFIG_INET_DIAG_DESTROY=y
CONFIG_TCP_CONG_ADVANCED=y
# CONFIG_TCP_CONG_BIC is not set
CONFIG_TCP_CONG_CUBIC=y
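Review bot: the line that changes the attack surface in this hunk is `CONFIG_INET_DIAG_DESTROY=y`, not `CONFIG_INET_DIAG=y`. The latter only lets sock_diag enumerate sockets (what `ss` reads), while DESTROY adds the SOCK_DESTROY command, which the kernel gates on CAP_NET_ADMIN in the socket's network namespace and which then kills any matching TCP or UDP socket in that namespace. That is the capability the commit message wants for Cilium, so it is the one the filter-hardened-check.py comment should name rather than the KSPP heap note. Leaving `# CONFIG_INET_RAW_DIAG is not set` is consistent with the stated use case, which needs TCP and UDP only.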
Expand Down Expand Up @@ -1564,6 +1568,7 @@ CONFIG_BRIDGE_EBT_LOG=y
CONFIG_BRIDGE_EBT_NFLOG=y
# CONFIG_BPFILTER is not set
CONFIG_IP_DCCP=y
CONFIG_INET_DCCP_DIAG=y

#
# DCCP CCIDs Configuration
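Review bot: `CONFIG_INET_DCCP_DIAG=y` has no counterpart in the arm64 hunks of this commit (that file only gains the INET_DIAG block and `CONFIG_INET_SCTP_DIAG=y`), so the two configs now diverge on DCCP diag. If `CONFIG_IP_DCCP` is unset on arm64 that is expected and deserves a line in the commit message; if it is set there too, the arm64 config needs the same line. Either way DCCP is not part of the stated use case, so the reason for enabling its diag support belongs in the message.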
Expand All @@ -1587,6 +1592,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
CONFIG_SCTP_COOKIE_HMAC_MD5=y
# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
CONFIG_INET_SCTP_DIAG=y
CONFIG_RDS=y
# CONFIG_RDS_RDMA is not set
# CONFIG_RDS_TCP is not set
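Review bot: `CONFIG_INET_SCTP_DIAG=y` goes beyond what the commit message justifies; the stated need is terminating TCP and UDP connections via the SOCK_DESTROY path, and SCTP socket diag widens the netlink surface without an explanation. Either say why it is wanted (e.g. `ss` visibility into SCTP associations) in the commit message or leave it unset until there is a consumer.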
7 changes: 6 additions & 1 deletion kernel/build/config-arm64
Expand Up @@ -1198,7 +1198,11 @@ CONFIG_INET_IPCOMP=y
CONFIG_INET_TABLE_PERTURB_ORDER=16
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
# CONFIG_INET_DIAG is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_INET_UDP_DIAG=y
# CONFIG_INET_RAW_DIAG is not set
CONFIG_INET_DIAG_DESTROY=y
CONFIG_TCP_CONG_ADVANCED=y
# CONFIG_TCP_CONG_BIC is not set
CONFIG_TCP_CONG_CUBIC=y
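Review bot: identical to the amd64 hunk, which keeps the two configs in step; what still needs checking is the built kernel rather than the config text, because kconfig silently drops a `=y` whose dependencies are not met, and `CONFIG_INET_DIAG_DESTROY` depends on `CONFIG_INET_DIAG`. A quick post-build check is to grep the generated `.config` for both symbols, and on a booted node an `ss -K` against a throwaway socket: an "Operation not supported" error means INET_DIAG is in but the destroy handler did not make it.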
Expand Down Expand Up @@ -1606,6 +1610,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
CONFIG_SCTP_COOKIE_HMAC_MD5=y
# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
CONFIG_INET_SCTP_DIAG=y
CONFIG_RDS=y
# CONFIG_RDS_RDMA is not set
# CONFIG_RDS_TCP is not set
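Review bot: same point as for config-amd64: the commit message motivates TCP/UDP socket termination only, so `CONFIG_INET_SCTP_DIAG=y` needs its own reason in the message or should stay unset. One sentence in the message covering all the extra diag symbols (DCCP on amd64, SCTP on both) would be enough.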
1 change: 1 addition & 0 deletions kernel/build/scripts/filter-hardened-check.py
Expand Up @@ -31,6 +31,7 @@
'CONFIG_SECURITY_SELINUX_DEVELOP', # SELinux enabled, but permissive unless enforcing=1. TODO: force enforcing mode when complete
'CONFIG_SPECULATION_MITIGATIONS', # Renamed in the kernel to 'CONFIG_CPU_MITIGATIONS'
'CONFIG_EFI_DISABLE_PCI_DMA', # enabling this breaks boot with no visible error messages to debug (https://github.com/siderolabs/talos/issues/8743)
'CONFIG_INET_DIAG', # last vulnerability prior to v4.1. Required for CNIs such as Cilium to terminate sockets. (https://github.com/siderolabs/pkgs/issues/1028)
}

"""

0 comments on commit a50180b
